2 * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/crypto.h>
13 #include <openssl/evp.h>
14 #include <openssl/core_names.h>
15 #include <openssl/params.h>
16 #include "internal/endian.h"
17 #include "crypto/modes.h"
18 #include "crypto/siv.h"
20 #ifndef OPENSSL_NO_SIV
22 __owur static ossl_inline uint32_t rotl8(uint32_t x)
24 return (x << 8) | (x >> 24);
27 __owur static ossl_inline uint32_t rotr8(uint32_t x)
29 return (x >> 8) | (x << 24);
32 __owur static ossl_inline uint64_t byteswap8(uint64_t x)
34 uint32_t high = (uint32_t)(x >> 32);
35 uint32_t low = (uint32_t)x;
37 high = (rotl8(high) & 0x00ff00ff) | (rotr8(high) & 0xff00ff00);
38 low = (rotl8(low) & 0x00ff00ff) | (rotr8(low) & 0xff00ff00);
39 return ((uint64_t)low) << 32 | (uint64_t)high;
42 __owur static ossl_inline uint64_t siv128_getword(SIV_BLOCK const *b, size_t i)
47 return byteswap8(b->word[i]);
51 static ossl_inline void siv128_putword(SIV_BLOCK *b, size_t i, uint64_t x)
56 b->word[i] = byteswap8(x);
61 static ossl_inline void siv128_xorblock(SIV_BLOCK *x,
64 x->word[0] ^= y->word[0];
65 x->word[1] ^= y->word[1];
69 * Doubles |b|, which is 16 bytes representing an element
70 * of GF(2**128) modulo the irreducible polynomial
71 * x**128 + x**7 + x**2 + x + 1.
72 * Assumes two's-complement arithmetic
74 static ossl_inline void siv128_dbl(SIV_BLOCK *b)
76 uint64_t high = siv128_getword(b, 0);
77 uint64_t low = siv128_getword(b, 1);
78 uint64_t high_carry = high & (((uint64_t)1) << 63);
79 uint64_t low_carry = low & (((uint64_t)1) << 63);
80 int64_t low_mask = -((int64_t)(high_carry >> 63)) & 0x87;
81 uint64_t high_mask = low_carry >> 63;
83 high = (high << 1) | high_mask;
84 low = (low << 1) ^ (uint64_t)low_mask;
85 siv128_putword(b, 0, high);
86 siv128_putword(b, 1, low);
89 __owur static ossl_inline int siv128_do_s2v_p(SIV128_CONTEXT *ctx, SIV_BLOCK *out,
90 unsigned char const* in, size_t len)
93 size_t out_len = sizeof(out->byte);
97 mac_ctx = EVP_MAC_dup_ctx(ctx->mac_ctx_init);
101 if (len >= SIV_LEN) {
102 if (!EVP_MAC_update(mac_ctx, in, len - SIV_LEN))
104 memcpy(&t, in + (len-SIV_LEN), SIV_LEN);
105 siv128_xorblock(&t, &ctx->d);
106 if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
109 memset(&t, 0, sizeof(t));
113 siv128_xorblock(&t, &ctx->d);
114 if (!EVP_MAC_update(mac_ctx, t.byte, SIV_LEN))
117 if (!EVP_MAC_final(mac_ctx, out->byte, &out_len, sizeof(out->byte))
118 || out_len != SIV_LEN)
124 EVP_MAC_free_ctx(mac_ctx);
129 __owur static ossl_inline int siv128_do_encrypt(EVP_CIPHER_CTX *ctx, unsigned char *out,
130 unsigned char const *in, size_t len,
133 int out_len = (int)len;
135 if (!EVP_CipherInit_ex(ctx, NULL, NULL, NULL, icv->byte, 1))
137 return EVP_EncryptUpdate(ctx, out, &out_len, in, out_len);
141 * Create a new SIV128_CONTEXT
143 SIV128_CONTEXT *CRYPTO_siv128_new(const unsigned char *key, int klen, EVP_CIPHER* cbc, EVP_CIPHER* ctr)
148 if ((ctx = OPENSSL_malloc(sizeof(*ctx))) != NULL) {
149 ret = CRYPTO_siv128_init(ctx, key, klen, cbc, ctr);
159 * Initialise an existing SIV128_CONTEXT
161 int CRYPTO_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen,
162 const EVP_CIPHER* cbc, const EVP_CIPHER* ctr)
164 static const unsigned char zero[SIV_LEN] = { 0 };
165 size_t out_len = SIV_LEN;
166 EVP_MAC_CTX *mac_ctx = NULL;
167 OSSL_PARAM params[3];
168 const char *cbc_name = EVP_CIPHER_name(cbc);
170 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
171 (char *)cbc_name, 0);
172 params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
174 params[2] = OSSL_PARAM_construct_end();
176 memset(&ctx->d, 0, sizeof(ctx->d));
177 ctx->cipher_ctx = NULL;
178 ctx->mac_ctx_init = NULL;
180 if (key == NULL || cbc == NULL || ctr == NULL
181 || (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL
182 /* TODO(3.0) library context */
184 EVP_MAC_fetch(NULL, OSSL_MAC_NAME_CMAC, NULL)) == NULL
185 || (ctx->mac_ctx_init = EVP_MAC_new_ctx(ctx->mac)) == NULL
186 || !EVP_MAC_set_ctx_params(ctx->mac_ctx_init, params)
187 || !EVP_EncryptInit_ex(ctx->cipher_ctx, ctr, NULL, key + klen, NULL)
188 || (mac_ctx = EVP_MAC_dup_ctx(ctx->mac_ctx_init)) == NULL
189 || !EVP_MAC_update(mac_ctx, zero, sizeof(zero))
190 || !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len,
191 sizeof(ctx->d.byte))) {
192 EVP_CIPHER_CTX_free(ctx->cipher_ctx);
193 EVP_MAC_free_ctx(ctx->mac_ctx_init);
194 EVP_MAC_free_ctx(mac_ctx);
195 EVP_MAC_free(ctx->mac);
198 EVP_MAC_free_ctx(mac_ctx);
207 * Copy an SIV128_CONTEXT object
209 int CRYPTO_siv128_copy_ctx(SIV128_CONTEXT *dest, SIV128_CONTEXT *src)
211 memcpy(&dest->d, &src->d, sizeof(src->d));
212 if (!EVP_CIPHER_CTX_copy(dest->cipher_ctx, src->cipher_ctx))
214 EVP_MAC_free_ctx(dest->mac_ctx_init);
215 dest->mac_ctx_init = EVP_MAC_dup_ctx(src->mac_ctx_init);
216 if (dest->mac_ctx_init == NULL)
222 * Provide any AAD. This can be called multiple times.
223 * Per RFC5297, the last piece of associated data
224 * is the nonce, but it's not treated special
226 int CRYPTO_siv128_aad(SIV128_CONTEXT *ctx, const unsigned char *aad,
230 size_t out_len = SIV_LEN;
231 EVP_MAC_CTX *mac_ctx;
235 if ((mac_ctx = EVP_MAC_dup_ctx(ctx->mac_ctx_init)) == NULL
236 || !EVP_MAC_update(mac_ctx, aad, len)
237 || !EVP_MAC_final(mac_ctx, mac_out.byte, &out_len,
238 sizeof(mac_out.byte))
239 || out_len != SIV_LEN) {
240 EVP_MAC_free_ctx(mac_ctx);
243 EVP_MAC_free_ctx(mac_ctx);
245 siv128_xorblock(&ctx->d, &mac_out);
251 * Provide any data to be encrypted. This can be called once.
253 int CRYPTO_siv128_encrypt(SIV128_CONTEXT *ctx,
254 const unsigned char *in, unsigned char *out,
259 /* can only do one crypto operation */
260 if (ctx->crypto_ok == 0)
264 if (!siv128_do_s2v_p(ctx, &q, in, len))
267 memcpy(ctx->tag.byte, &q, SIV_LEN);
271 if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q))
278 * Provide any data to be decrypted. This can be called once.
280 int CRYPTO_siv128_decrypt(SIV128_CONTEXT *ctx,
281 const unsigned char *in, unsigned char *out,
288 /* can only do one crypto operation */
289 if (ctx->crypto_ok == 0)
293 memcpy(&q, ctx->tag.byte, SIV_LEN);
297 if (!siv128_do_encrypt(ctx->cipher_ctx, out, in, len, &q)
298 || !siv128_do_s2v_p(ctx, &t, out, len))
302 for (i = 0; i < SIV_LEN; i++)
305 if ((t.word[0] | t.word[1]) != 0) {
306 OPENSSL_cleanse(out, len);
314 * Return the already calculated final result.
316 int CRYPTO_siv128_finish(SIV128_CONTEXT *ctx)
318 return ctx->final_ret;
324 int CRYPTO_siv128_set_tag(SIV128_CONTEXT *ctx, const unsigned char *tag, size_t len)
329 /* Copy the tag from the supplied buffer */
330 memcpy(ctx->tag.byte, tag, len);
335 * Retrieve the calculated tag
337 int CRYPTO_siv128_get_tag(SIV128_CONTEXT *ctx, unsigned char *tag, size_t len)
342 /* Copy the tag into the supplied buffer */
343 memcpy(tag, ctx->tag.byte, len);
348 * Release all resources
350 int CRYPTO_siv128_cleanup(SIV128_CONTEXT *ctx)
353 EVP_CIPHER_CTX_free(ctx->cipher_ctx);
354 ctx->cipher_ctx = NULL;
355 EVP_MAC_free_ctx(ctx->mac_ctx_init);
356 ctx->mac_ctx_init = NULL;
357 EVP_MAC_free(ctx->mac);
359 OPENSSL_cleanse(&ctx->d, sizeof(ctx->d));
360 OPENSSL_cleanse(&ctx->tag, sizeof(ctx->tag));
367 int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg)
369 ctx->crypto_ok = (arg == 1) ? -1 : 1;
373 #endif /* OPENSSL_NO_SIV */